Sanctions are as much a fact of life for modern business as global markets. Financial services firms in particular are devoting increasing attention to sanctions compliance, as they navigate a shifting regulatory landscape in which guidelines are often unclear.
This Economist Intelligence Unit study, sponsored by Deloitte, looks at the sanctions challenge facing the financial services industry and is based on an online survey of 388 executives and managers in the sector, as well as in-depth interviews with experts and corporate leaders. Its key findings include:
Increasing complexity, regulatory rigor, and the inconsistent nature of global regimes are raising the bar for sanctions compliance. Nearly half of respondents surveyed (46%) by the Economist Intelligence Unit consider sanctions compliance a growing concern; and 63% say it has consumed more time, money, and personnel in the last three years. The biggest cause is the growing complexity of the task — cited by 71% of those in the compliance function — as firms need to check a wide variety of available information against ever-longer lists of sanctioned individuals and organizations. These checks generally use automated databases in the first instance, but all too often follow-up searching on the alerts generated through the automated tools must be conducted manually. This process is time consuming and can be expensive, especially if there are a large number of alerts requiring manual review.
Increasing global regulatory rigor in enforcing these requirements has made the task all the more pressing. Meanwhile, inconsistent regulations present notable compliance and, sometimes, legal challenges for organizations, according to interviewees for the study.
Despite a measure of apparent confidence, financial services executives recognize that there is a lack of awareness in sanctions compliance that needs to be addressed. Although 64% of survey respondents believe that their sanctions compliance efforts are sufficient, beneath the surface there is less confidence. Specifically, 45% of C-Suite executives worry that their industry is not sufficiently aware of the implications of sanctions compliance requirements for its business practice, against 30% who disagree. Moreover, among non-banking financial services companies, 46% of respondents believe that they have established an effective sanctions compliance culture. In fact, only 28% have conducted a full sanctions risk assessment — the cornerstone of an effective sanctions program. Examples of areas that need improvement across the respondent group include the following:
- Only 44% of companies have a clear, well-defined sanctions policy.
- At nearly one in four companies compliance staff receive training, at best, just once every two years.
As the sanctions environment changes, the leading programs and strategies are also changing in a variety of areas:
Culture and responsibility for sanctions compliance. Only 56% of companies surveyed say that they have established an effective company-wide culture in this area. The growing importance of sanctions compliance makes it more necessary to create an appropriate culture, which begins with senior management setting the appropriate “tone at the top” for the issue.
Risk management. Companies with well-defined sanctions programs are including risk assessments as part of best practice. Of this group, 70% were either in the process of completing or had already completed a formal sanctions risk assessment in the last two years. Regulators also now expect risk management to play a role in compliance: Office of Foreign Assets Control (OFAC) issued its Economic Sanctions Enforcement Procedures in the U.S. in January 2006 (updated in September 2008) which require that banks have programs in this field consistent with the risk they face. Risk assessments can be beneficial in allocating resources appropriately and designing effective processes. Nevertheless, risk-based approaches may be insufficient to protect against the strict legal liability involved with sanctions compliance, although a well-designed program may lead regulators to mitigate punishments for such breaches.
Information technology. Information technology (IT) is essential for the intensive screening involved in sanctions compliance. The difficulties inherent in the task, and the still-developing state of the software, however, present challenges to global institutions: 44% of those surveyed believe that today’s technology does not meet current requirements without substantial manual assistance and 37% think this will still be true in three years. The overall efficiency of screening technologies — especially the large number of false positives they produce — is a particular problem. Depending on the nature of the products and services offered, technology solutions alone often uncover few real violations without substantial manual follow-up evaluation.
Global programs. Companies that report that they have well-defined sanctions programs are much more likely to have programs that are consistent across the company: 73% of this group set policy at the global level, against just 41% of other survey respondents. Interviewees for this study say they find such an approach more efficient and effective. Of greater importance, global consistency is essential where violations of a particular country’s sanctions can occur anywhere in the world. Although legal restraints can sometimes make it impossible, according to the interviews leading companies are trying, as much as they can, to obey every country’s sanctions everywhere, rather than to have different programs in different countries. More than half of survey respondents based outside the U.S., for example, report using the OFAC list for sanctions screening, and more than a third of non-EU respondents use the EU lists. Still others use aggregate lists that also include the OFAC and EU names, making global homogeneity even more widespread.